ask - IPSEC without IP Public for internet connection

Hi there,

Need help please. We have 2 FG60D and 2 FG30E. We would like to create a VPN IPsec with these conditions:

1. MainBranch uses the FG 60D and has an internet connection with a dynamic public IP.
2. Other branches use an internet connection with a private IP from the internet provider.

Is there specific guidance to create VPN IPSEC between mainbranch and other branches?

Thanks for your reply. As I understand from your reply, DDNS also applies to a private IP (behind NAT). Is that correct? Out of question, can a commercial DDNS like DynDNS also be applied to this method?

Before you get lost...no, dynDNS with a private IP address won't work. How do you route to a private IP address??

So (as emnoc already posted) your branches have to dial in to the MainBranch (very unlucky name, better use "HQ" or so). The MainBranch/HQ with its dynamic IP address needs to subscribe to a DynDNS service; the other branches do not need any. Fortinet offers this service for free (as long as you have a valid FortiCare contract) but you could use dyndns.org as well.

And use peer IDs on your branches so that the MainBranch/HQ can determine which one is calling in.

The FortiOS Handbook, ch. "VPN", is an excellent source of information (docs.fortinet.com).
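The setup described in this thread, sketched as FortiOS CLI. This is an added example, not configuration posted by any participant; the interface name `wan1`, the DDNS hostname, the peer ID `branch1` and the tunnel names are placeholders, and exact syntax can differ between FortiOS versions. It assumes IKEv2, so that peer IDs can be used without IKEv1 aggressive mode. Phase 2, routes and firewall policies are omitted.

```fortios
# ---- HQ (FG60D, dynamic public IP): publish the address via DDNS ----
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "hq-example.fortiddns.com"
        set monitor-interface "wan1"
    next
end

# ---- HQ: one dial-up phase 1 per branch, selected by peer ID ----
config vpn ipsec phase1-interface
    edit "branch1"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set peerid "branch1"
        set nattraversal enable
        set psksecret <unique-psk-for-branch1>
    next
end

# ---- Branch (FG30E, private IP behind provider NAT): initiates to HQ ----
config vpn ipsec phase1-interface
    edit "to-hq"
        set type ddns
        set remotegw-ddns "hq-example.fortiddns.com"
        set interface "wan1"
        set ike-version 2
        set localid "branch1"
        set nattraversal enable
        set psksecret <unique-psk-for-branch1>
    next
end
```

Giving each branch its own peer ID and its own pre-shared key lets HQ revoke a single branch without touching the others.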